CN112613041A - Container mirror image detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN112613041A
Authority
CN
China
Prior art keywords
mirror image
container mirror
container
vulnerability
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011565572.6A
Other languages
Chinese (zh)
Inventor
赵铭
林圳杰
严志华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Southern Power Grid Digital Grid Research Institute Co Ltd
Shenzhen Digital Power Grid Research Institute of China Southern Power Grid Co Ltd
Original Assignee
Shenzhen Digital Power Grid Research Institute of China Southern Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Digital Power Grid Research Institute of China Southern Power Grid Co Ltd
Priority to CN202011565572.6A
Publication of CN112613041A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Facsimiles In General (AREA)

Abstract

The embodiment of the disclosure provides a container mirror image detection method and device, electronic equipment and a storage medium, and belongs to the technical field of computers. The container mirror image detection method comprises the following steps: acquiring a mirror image of an original container to be detected; packaging the original container mirror image to obtain a primary container mirror image; decompressing the preliminary container mirror image to obtain the target container mirror image; performing feature extraction on the target container mirror image through a Clair tool to obtain feature data; and comparing the characteristic data with a preset CVE vulnerability database through the Clair tool, and inquiring vulnerability data. The embodiment of the disclosure can realize automatic scanning of the vulnerability data of the container mirror image and improve the vulnerability scanning accuracy.

Description

Container mirror image detection method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a container mirror image detection method and apparatus, an electronic device, and a storage medium.
Background
With the development of computers, image-related products are increasing, and a common one is the container image. A container image is a static resource stored on an image server: a special file system obtained by encapsulating an application's code and its runtime environment in a standardized way. A container runs on a container image, and the image is run in container form through a start command. Therefore, if a container image is abnormal (for example, it contains vulnerability data), the corresponding container is also insecure, which may allow an attacker to tamper with the image data and implant malicious code to carry out an attack.
Disclosure of Invention
The disclosure provides a container mirror image detection method and device, an electronic device, and a storage medium, which can automatically scan vulnerability data of a container mirror image, and improve vulnerability scanning accuracy to improve container security.
To achieve the above object, a first aspect of the present disclosure provides a container mirror image detection method, including:
acquiring a mirror image of an original container to be detected;
packaging the original container mirror image to obtain a primary container mirror image;
decompressing the preliminary container mirror image to obtain the target container mirror image;
performing feature extraction on the target container mirror image through a Clair tool to obtain feature data;
and comparing the characteristic data with a preset CVE vulnerability database through the Clair tool, and inquiring vulnerability data.
In some embodiments, the method further comprises:
marking the target container mirror image;
pushing the marked target container mirror image;
and scanning the pushed target container mirror image.
In some embodiments, the method further comprises:
if the vulnerability data is inquired, generating a vulnerability report; the vulnerability report comprises vulnerability current version information and repair version information.
In some embodiments, the method further comprises:
generating an updated basic mirror image according to the vulnerability report and a preset current basic mirror image; the update base image is used for repairing the vulnerability data.
In some embodiments, the target container image comprises a hierarchical file and a description file, the hierarchical file being target container image hierarchical data, the method further comprising:
calling each description file;
and submitting the target container mirror image hierarchical data according to the sequence of each description file.
In some embodiments, the method further comprises:
acquiring the running state of a warehouse where the target container mirror image is located;
and if the running state of the warehouse where the target container mirror image is located is a normal state, pulling the target container mirror image.
In some embodiments, the method further comprises:
and clearing the packaged file after the scanning is successful, wherein the packaged file is a tar packet.
To achieve the above object, a second aspect of the present disclosure provides a container mirror image detection apparatus, including:
the mirror image acquisition module is used for acquiring a mirror image of an original container to be detected;
the mirror image packaging module is used for packaging the original container mirror image to obtain a primary container mirror image;
the mirror image decompression module is used for decompressing the primary container mirror image to obtain the target container mirror image;
the characteristic extraction module is used for carrying out characteristic extraction on the target container mirror image through a Clair tool to obtain characteristic data;
and the mirror image scanning module is used for comparing the characteristic data with a preset CVE vulnerability database through the Clair tool and inquiring vulnerability data.
To achieve the above object, a third aspect of the present disclosure provides an electronic device, including:
at least one memory;
at least one processor;
at least one program;
the program is stored in a memory and a processor executes the at least one program to implement the method of the present disclosure as described in the above first aspect.
To achieve the above object, a fourth aspect of the present disclosure proposes a storage medium that is a computer-readable storage medium storing computer-executable instructions for causing a computer to perform:
a method as described in the first aspect above.
According to the container mirror image detection method and device, the electronic device and the storage medium, the original container mirror image to be detected is obtained, the original container mirror image is packaged, the packaged primary container mirror image is decompressed, the target container mirror image obtained after decompression is subjected to feature extraction through a Clair tool, feature data subjected to feature extraction is compared with a preset CVE vulnerability database, vulnerability data are inquired, and therefore vulnerability data of the container mirror image can be automatically scanned, the vulnerability scanning accuracy is improved, and container safety is improved.
Drawings
Fig. 1 is a flowchart of a container mirror detection method provided in an embodiment of the present disclosure.
Fig. 2 is a partial flowchart of a container mirror detection method according to another embodiment of the disclosure.
Fig. 3 is a functional block diagram of a container mirror image detection apparatus provided in an embodiment of the present disclosure.
Fig. 4 is a schematic diagram of a hardware structure of an electronic device provided in an embodiment of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the present disclosure more clearly understood, the present disclosure is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the disclosure and are not intended to limit the disclosure.
It should be noted that although functional blocks are partitioned in a schematic diagram of an apparatus and a logical order is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the partitioning of blocks in the apparatus or the order in the flowchart. The terms first, second and the like in the description and in the claims, and the drawings described above, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. The terminology used herein is for the purpose of describing embodiments of the disclosure only and is not intended to be limiting of the disclosure.
First, several terms and techniques involved in the present disclosure are resolved:
Common Vulnerabilities and Exposures (CVE): CVE is an internationally known security vulnerability library and a list of standardized names for publicly known vulnerabilities and security flaws. CVE works like a dictionary: it gives a public name to each widely recognized information security vulnerability or exposure, and this common name helps users share data across independent vulnerability databases and vulnerability assessment tools. If a vulnerability report identifies a vulnerability by its CVE name, the corresponding fix information can be found quickly in any other CVE-compatible database, so the security problem can be resolved.
Container: a container is a series of processes isolated from the rest of the system and run from an image, and the image provides all the files needed to support those processes. Because the image contains all the dependencies of the application, it is portable and consistent throughout the whole process from development to test to production. The container is a unified platform for building, distributing and running applications, used to achieve automated installation, deployment and upgrading of applications.
Clair: the Clair architecture consists of six main modules: first, the Fetcher, which collects vulnerability data from public sources; second, the Detector, which identifies the features contained in a container image; third, the Image Format, the container image formats Clair understands, including Docker and ACI; fourth, the Notification Hook, which notifies users or machines when a new vulnerability is discovered or an existing vulnerability changes; fifth, the Database, which stores each layer and each vulnerability; sixth, the Worker: each Post Layer starts a Worker to perform Layer Detect. The Clair container is the scanning tool.
Tomcat container: provides the download address for the image layers.
Postgres container: stores the vulnerability-feature matching data.
Docker: a containerization technology that supports creating and running Linux containers. Docker is an open source application container engine that runs containers; with Docker, a container can be used as a lightweight, modular virtual machine while keeping high flexibility, so containers can be created, deployed and copied efficiently and migrated smoothly from one environment to another. Developers can package their applications and their dependencies into a portable image and then release it to any popular Linux or Windows machine, which also achieves virtualization; containers use a sandbox mechanism and have no interface to each other. In general, a complete Docker consists of the following parts: a Docker Client, a Docker Daemon, a Docker Image, and a Docker Container.
Registry: image storage.
Docker Registry: a Docker image repository, i.e. a repository storing Docker images.
Image repository Harbor: a container image repository; Harbor is an extension built on top of the Docker Registry.
Webhook: a method of adding or changing web-page behavior through a user-defined callback; these callbacks can be saved, modified and managed by third-party users and developers who need not be related to the original website or application. When the event occurs, the original website sends an HTTP request to the URL configured for the webhook, so a user can configure an event on one web page to trigger behavior on another website.
The embodiment of the present disclosure provides a container mirror image detection method and apparatus, an electronic device, and a read storage medium, which are specifically described with reference to the following embodiments, and a container mirror image detection method in the embodiment of the present disclosure is first described.
The container mirror image detection method provided by the embodiment of the disclosure can be applied to a terminal, a server side and software running in the terminal or the server side. In some embodiments, the terminal may be a smartphone, tablet, laptop, desktop computer, smart watch, or the like; the server side can be configured into an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, and cloud servers for providing basic cloud computing services such as cloud service, a cloud database, cloud computing, cloud functions, cloud storage, network service, cloud communication, middleware service, domain name service, security service, CDN (content delivery network) and big data and artificial intelligence platforms; the software may be an application or the like implementing a container mirror detection method, but is not limited to the above form.
Fig. 1 is an alternative flowchart of a container image detection method provided in an embodiment of the present disclosure, where the method in fig. 1 includes steps 101 to 105.
101, acquiring a mirror image of an original container to be detected;
102, packaging the original container mirror image to obtain a primary container mirror image;
103, decompressing the primary container mirror image to obtain a target container mirror image;
104, performing feature extraction on the target container mirror image through a Clair tool to obtain feature data;
and 105, comparing the characteristic data with a preset CVE vulnerability database through a Clair tool, and inquiring vulnerability data.
In some embodiments, the CVE vulnerability database includes Postgres containers.
In a specific application scenario, before the container mirror image detection method provided by the embodiment of the present disclosure is executed, the containers need to be started first; the containers to be started include a Tomcat container, a Postgres container and a Clair container. The Tomcat container provides the download address for the container image layers; the Postgres container stores the vulnerability-feature matching data; the Clair container is the scanning tool. Specifically, starting the Clair container may be: creating a new directory /opt/default/client/config and a new file config.yml under that directory, and configuring the corresponding ports, for example a scan port 6060 and an inspection (health) port 6061.
Furthermore, the Postgres container must be started before the Clair container; otherwise Clair cannot connect to the database and the Clair container shuts down immediately.
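The startup ordering and the health ports described above, as an added Python example that is neither the patent's nor Clair's code: it starts Postgres, then Tomcat, then Clair, and does not launch a later service until the earlier one answers a readiness probe, so Clair is never started against a database that is not yet accepting connections. The hostnames, the Tomcat URL and the use of GET /health on Clair's port 6061 are assumptions; the `start` callback, the probes, the clock and the sleep are injectable so the ordering logic can be exercised offline.

```python
import socket
import time
import urllib.request
from typing import Callable, Dict, List

# Assumed service addresses (not from the patent). Port 6061 is the inspection
# port named in the text; the /health path is Clair v2's default health endpoint.
POSTGRES_HOST, POSTGRES_PORT = "postgres", 5432
TOMCAT_URL = "http://tomcat:8080/"
CLAIR_HEALTH_URL = "http://clair:6061/health"

START_ORDER = ["postgres", "tomcat", "clair"]  # database first, scanner last


def tcp_ready(host: str, port: int, timeout: float = 1.0) -> bool:
    """Readiness probe: can a TCP connection be opened (used for Postgres)?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_ready(url: str, timeout: float = 1.0) -> bool:
    """Readiness probe: does the URL answer with a 2xx (used for Tomcat and Clair)?"""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (OSError, ValueError):
        return False


def wait_until(probe: Callable[[], bool], deadline_s: float, interval_s: float = 1.0,
               clock: Callable[[], float] = time.monotonic,
               sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll probe() until it succeeds or deadline_s elapses. clock and sleep are
    injectable so the wait can be tested without real time passing."""
    end = clock() + deadline_s
    while True:
        if probe():
            return True
        if clock() >= end:
            return False
        sleep(interval_s)


def start_in_order(start: Callable[[str], None], probes: Dict[str, Callable[[], bool]],
                   deadline_s: float = 60.0, **wait_kwargs) -> List[str]:
    """Start services in START_ORDER, waiting for each to become ready before the
    next one is launched. start(name) launches a container (for example via
    `docker start <name>`); probes maps each name to its readiness probe.
    Returns the names started; raises if a dependency never comes up, so Clair is
    not started without its database."""
    started: List[str] = []
    for name in START_ORDER:
        start(name)
        if not wait_until(probes[name], deadline_s, **wait_kwargs):
            raise RuntimeError(f"{name} did not become ready; later services not started")
        started.append(name)
    return started


if __name__ == "__main__":
    import subprocess
    probes = {
        "postgres": lambda: tcp_ready(POSTGRES_HOST, POSTGRES_PORT),
        "tomcat": lambda: http_ready(TOMCAT_URL),
        "clair": lambda: http_ready(CLAIR_HEALTH_URL),
    }
    print(start_in_order(lambda n: subprocess.run(["docker", "start", n], check=True), probes))
```

With real probes the script blocks up to `deadline_s` per service; if Postgres never answers on 5432 the function raises before Clair is ever started, which is the failure mode the text warns about.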
In step 105, the vulnerability data is queried by comparing the feature data with vulnerability-feature matching data stored in the Postgres container.
In addition, in the embodiment of the present disclosure, before performing the scanning, the environmental parameters need to be configured, which specifically includes:
building a corresponding virtual machine;
constructing a harbor private warehouse;
a Clair tool is integrated.
Specifically, constructing a Harbor private repository comprises: installing docker and docker-compose, installing Harbor, and modifying the configuration files (e.g., modifying the virtual machine IP address).
In step 102 of some embodiments, the primary container mirror image obtained by packaging the original container mirror image is a tar package; tar is a packaging tool, and the package it generates is usually called a tar package and also uses tar as its extension.
In some embodiments, the target container image comprises a hierarchical file and a description file; the hierarchical file mirrors the hierarchical data for the target container.
In step 103 of some embodiments, the tar package is decompressed into the ROOT directory of Tomcat, and the hierarchical file and the description file of each mirror image are obtained.
Referring to fig. 2, in some embodiments, the container image detection method further includes steps 201 to 203:
step 201, marking a mirror image of a target container;
step 202, pushing the marked target container mirror image;
and step 203, scanning the pushed target container mirror image. Specifically, after step 203, step 104 is performed.
In some embodiments, before step 201, the method for detecting container mirroring further comprises:
the target container mirror image to be scanned is pulled. Specifically, in a specific application scenario, in a new project, a target container mirror image to be scanned is pulled into the new project, and then the pulled target container mirror image is marked.
In some embodiments, the container mirror detection method further comprises:
if the vulnerability data is inquired, generating a vulnerability report; the vulnerability report comprises vulnerability current version information and repair version information.
Specifically, the CVE vulnerability database is associated through version information, and vulnerability data existing in the target container mirror image is summarized.
In some embodiments, the method further comprises:
generating an updated base mirror image according to the vulnerability report and a preset current base mirror image; the updated base mirror image is used for repairing the vulnerability data.
After step 103, the method for detecting the mirror image of the container further includes:
calling each description file;
and submitting the target container mirror image hierarchical data according to the sequence of the description file.
Specifically, the target container mirror image hierarchical data is submitted through the Clair API in the order given by the description file. When the hierarchical data is submitted through the Clair API, if postLayers is false, the hierarchical data has already been submitted, so the vulnerabilities can be queried directly using the ID number of the last layer. The postgres container stores the found image vulnerabilities: once the target container mirror image hierarchical data has been submitted, the vulnerability data can be obtained using the ID number of the last layer.
Furthermore, the hierarchical description file (manifest.json) of the target container image needs to be kept, since it stores the hierarchical information of the image, including the ID number of each layer and the address of each layer's tar package; the ID number of the last layer can therefore be read from the hierarchical description file, and the Clair API can be called to obtain the scanning result of the target container mirror image directly. If the scanning result is stored separately in the CVE vulnerability database, the whole decompressed directory can be deleted after the scan succeeds.
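The layer-submission and query flow of steps 103 and 104 and the vulnerability report with current and fixed versions, written out as an added Python example that is not part of the patent and not Clair's own code. It assumes a Clair v2 server exposing the v1 layer API at http://clair:6060/v1/layers, Tomcat serving the decompressed image directory at http://tomcat:8080/images, and a manifest.json in the layout `docker save` produces (one `<id>/layer.tar` per layer, base layer first); the manifest, the layer ids, the Clair response and the CVE ids inside it are constructed placeholders. The HTTP transport is injected so the example runs offline.

```python
import json
import os
from typing import Callable, List

# Assumed addresses (not from the patent): Clair's scan API on port 6060 and the
# Tomcat ROOT directory served over HTTP so Clair can fetch each layer tar.
CLAIR_LAYERS_URL = "http://clair:6060/v1/layers"
LAYER_DOWNLOAD_BASE = "http://tomcat:8080/images"

# Constructed sample manifest.json in the layout `docker save` writes; the layer
# directories are named by layer id (placeholder ids here).
SAMPLE_MANIFEST = [{
    "Config": "cfg0000.json",
    "RepoTags": ["example/app:1.0"],
    "Layers": ["aaa111/layer.tar", "bbb222/layer.tar", "ccc333/layer.tar"],
}]

# Constructed sample of a Clair v1-API layer response (?features&vulnerabilities).
# The CVE ids are placeholders, not real identifiers.
SAMPLE_LAYER_RESPONSE = {"Layer": {"Name": "ccc333", "Features": [
    {"Name": "openssl", "NamespaceName": "debian:10", "Version": "1.1.1d-0",
     "Vulnerabilities": [
         {"Name": "CVE-0000-0001", "Severity": "High", "FixedBy": "1.1.1d-0+fix1"},
         {"Name": "CVE-0000-0002", "Severity": "Medium"}]},
    {"Name": "bash", "NamespaceName": "debian:10", "Version": "5.0-4"},
]}}


def read_manifest(unpacked_dir: str) -> List[dict]:
    """Read manifest.json from the directory the image tar was decompressed into."""
    with open(os.path.join(unpacked_dir, "manifest.json"), encoding="utf-8") as fh:
        return json.load(fh)


def layer_id(layer_path: str) -> str:
    """`docker save` stores each layer as '<id>/layer.tar'; the directory is its id."""
    return layer_path.split("/")[0]


def build_layer_posts(manifest_entry: dict, image_dir: str) -> List[dict]:
    """Build one Clair POST body per layer, in manifest order (base layer first).
    Each layer names the previous one as ParentName so Clair sees the whole chain."""
    posts, parent = [], ""
    for layer_path in manifest_entry["Layers"]:
        lid = layer_id(layer_path)
        posts.append({"Layer": {
            "Name": lid,
            "Path": f"{LAYER_DOWNLOAD_BASE}/{image_dir}/{layer_path}",
            "ParentName": parent,
            "Format": "Docker",
        }})
        parent = lid
    return posts


def submit_layers(posts: List[dict], post_fn: Callable[[str, dict], int]) -> str:
    """Submit the layers in order and return the last layer id, which is the one
    whose vulnerability view covers the whole image. post_fn(url, body) returns
    the HTTP status; it is injected so the example runs without a Clair server."""
    for body in posts:
        status = post_fn(CLAIR_LAYERS_URL, body)
        if status not in (200, 201):
            raise RuntimeError(f"Clair rejected layer {body['Layer']['Name']}: {status}")
    return posts[-1]["Layer"]["Name"]


def vulnerability_report(layer_response: dict) -> List[dict]:
    """Flatten Clair's layer response into rows of package, current version and
    fixed version; an empty fixed_version means no fixed version is published."""
    rows = []
    for feat in layer_response["Layer"].get("Features", []):
        for vuln in feat.get("Vulnerabilities", []):
            rows.append({
                "package": feat["Name"],
                "namespace": feat["NamespaceName"],
                "current_version": feat["Version"],
                "vulnerability": vuln["Name"],
                "severity": vuln.get("Severity", "Unknown"),
                "fixed_version": vuln.get("FixedBy", ""),
            })
    return rows


if __name__ == "__main__":
    posts = build_layer_posts(SAMPLE_MANIFEST[0], "example_app")
    last = submit_layers(posts, lambda url, body: 201)  # fake transport for the demo
    print("query:", f"{CLAIR_LAYERS_URL}/{last}?features&vulnerabilities")
    for row in vulnerability_report(SAMPLE_LAYER_RESPONSE):
        print(row)
```

In a real deployment `post_fn` would issue `POST` requests with the JSON body, and the report would be produced from `GET {CLAIR_LAYERS_URL}/{last}?features&vulnerabilities`; because every layer carries its parent, querying only the last layer id is enough, which is what the text relies on when postLayers is false.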
In some embodiments, the target container image is located in an image warehouse, and the container image detection method further includes:
acquiring the running state of a warehouse where a target container mirror image is located;
and if the running state of the warehouse where the target container mirror image is located is a normal state, pulling the target container mirror image.
And if the running state of the warehouse where the target container mirror image is located is an abnormal state, the target container mirror image cannot be pulled.
In some embodiments, the container mirror image detection method further comprises:
detecting the running states of the tomcat container, the Clair container and the postgres container;
and if the running state of at least one of the tomcat container, the Clair container and the postgres container is an abnormal state, issuing an early-warning prompt.
Specifically, if the warehouse where the target container image is located is running normally and the Clair container and the postgres container are both running normally, the Clair tool automatically pulls vulnerability data and inserts it into the CVE vulnerability database; if any of them is in an abnormal state, the Clair tool cannot pull the vulnerability data and issues a corresponding early-warning prompt. The embodiment of the disclosure does not limit the manner of the early-warning prompt.
In some embodiments, the container mirror image detection method further comprises:
and recording and intercepting any target container mirror image for which vulnerability data is found. Specifically, if vulnerability data is found, the target container mirror image concerned is recorded and intercepted, so that a target container mirror image with vulnerability data is not deployed. In the embodiment of the disclosure, the target container mirror image with the found vulnerability data is recorded and intercepted through a Webhook, which improves container safety.
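The record-and-intercept step through a webhook, as an added Python example that is not the patent's code and does not use Harbor's or Clair's own notification format: a small HTTP endpoint receives the scan result for an image, records any image with High or Critical findings on a blocklist, and a deployment-time check refuses blocked images. The payload shape (`{"image": ..., "findings": [...]}`), the severity threshold and the listening port are assumptions; a clean rescan of the same image reference lifts the block, which is the path taken after rebuilding on an updated base image.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List

# Assumed policy: these Clair severities block deployment.
BLOCK_SEVERITIES = {"Critical", "High"}
# Record of intercepted images: image reference -> reason. In production this
# would live in a database; a module-level dict keeps the example self-contained.
BLOCKLIST: Dict[str, dict] = {}


def evaluate_scan(image_ref: str, findings: List[dict], blocklist: Dict[str, dict]) -> dict:
    """Record and intercept an image whose scan returned blocking vulnerabilities.
    Each findings row carries at least 'vulnerability' and 'severity' keys."""
    hits = [f for f in findings if f.get("severity") in BLOCK_SEVERITIES]
    if not hits:
        blocklist.pop(image_ref, None)  # a clean rescan lifts an earlier block
        return {"image": image_ref, "action": "allow", "blocking_findings": 0}
    blocklist[image_ref] = {
        "blocking_findings": len(hits),
        "vulnerabilities": sorted({f["vulnerability"] for f in hits}),
    }
    return {"image": image_ref, "action": "block", "blocking_findings": len(hits)}


def may_deploy(image_ref: str, blocklist: Dict[str, dict]) -> bool:
    """Deployment-time check: anything on the blocklist is refused."""
    return image_ref not in blocklist


class ScanWebhook(BaseHTTPRequestHandler):
    """Receives {"image": "...", "findings": [...]} and answers with the decision."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            payload = json.loads(self.rfile.read(length) or b"{}")
            result = evaluate_scan(payload["image"], payload.get("findings", []), BLOCKLIST)
            status = 200
        except (ValueError, KeyError):
            result, status = {"error": "malformed payload"}, 400
        body = json.dumps(result).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumed listening address for the webhook receiver.
    HTTPServer(("127.0.0.1", 8089), ScanWebhook).serve_forever()
```

The endpoint only records decisions; the enforcement point is whatever calls `may_deploy` before starting a container from the image, so the scan result and the deployment gate stay decoupled.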
In some embodiments, the container mirror image detection method further comprises:
clearing the packaged files after the scan succeeds, where the packaged files are tar packages. Specifically, all the decompressed tar package files are cleaned up so that the storage space is released: a large number of tar package files are stored under the decompressed directory, and if they are not cleaned up in time the directory is likely to grow abnormally large; for example, after one mirror image scan, 30G of tar package files may be generated, which occupies a large amount of storage space if not cleaned up in time.
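The tar-package clean-up after a successful scan, as an added Python example that is not from the patent: it deletes one image's decompressed directory only when the scan succeeded (a failed scan keeps its files for retry or inspection), refuses any path that is not strictly inside the unpack root so a bad path cannot wipe an unrelated directory, and reports the bytes freed. The unpack directory under Tomcat's ROOT is an assumption; `cleanup_all` is the timed variant for clearing every image directory at once.

```python
import shutil
from pathlib import Path

# Assumed location (not from the patent) of the directory the image tars are
# decompressed into under Tomcat's ROOT, one sub-directory per scanned image.
UNPACK_ROOT = Path("/opt/tomcat/webapps/ROOT/images")


def cleanup_unpacked(image_dir: Path, root: Path = UNPACK_ROOT,
                     scan_succeeded: bool = True) -> int:
    """Delete one image's decompressed layer tars after a successful scan and
    return the number of bytes freed (0 if nothing was deleted)."""
    if not scan_succeeded:
        return 0  # keep the files so the failed scan can be retried or inspected
    root = root.resolve()
    target = image_dir.resolve()
    # Refuse the root itself and anything outside it (symlinks are resolved first).
    if target == root or root not in target.parents:
        raise ValueError(f"refusing to delete {target}: not inside {root}")
    if not target.is_dir():
        return 0
    freed = sum(p.stat().st_size for p in target.rglob("*") if p.is_file())
    shutil.rmtree(target)
    return freed


def cleanup_all(root: Path = UNPACK_ROOT) -> int:
    """Timed clean-up: remove every image directory under root. Only call this
    after all scans have completed and their results are stored in the database."""
    root = root.resolve()
    if not root.is_dir():
        return 0
    return sum(cleanup_unpacked(d, root, True) for d in root.iterdir() if d.is_dir())


if __name__ == "__main__":
    print("bytes freed:", cleanup_all())
```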
In the embodiment of the disclosure, a Clair tool is integrated into the image warehouse, and the Harbor API interface is encapsulated at the Clair API application server, so that secure scanning of container mirror images is realized: the Clair tool performs vulnerability matching scanning against the CVE (Common Vulnerabilities and Exposures) repository, traverses the file system in every mirror image, and checks one by one whether the software packages contain vulnerability data. In the disclosed embodiment, all mirror images can also be scanned by setting a timed scan (for example, daily, weekly or monthly).
To achieve the above object, referring to fig. 3, a second aspect of the present disclosure provides a container mirror image detection apparatus for implementing the container mirror image detection method, where the container mirror image detection apparatus includes:
a mirror image obtaining module 301, configured to obtain a mirror image of an original container to be detected;
a mirror image packaging module 302, configured to package the original container mirror image to obtain a preliminary container mirror image;
a mirror image decompression module 303, configured to decompress the preliminary container mirror image to obtain a target container mirror image;
the feature extraction module 304 is used for performing feature extraction on the target container mirror image through a Clair tool to obtain feature data;
and the mirror image scanning module 305 is configured to compare the feature data with a preset CVE vulnerability database through a Clair tool, and query vulnerability data.
According to the container mirror image detection method provided by the embodiment of the disclosure, the original container mirror image to be detected is obtained, the original container mirror image is packaged, the packaged primary container mirror image is decompressed, the target container mirror image obtained after decompression is subjected to feature extraction through a Clair tool, feature data subjected to feature extraction is compared with a preset CVE vulnerability database, and vulnerability data is inquired, so that automatic scanning of vulnerability data of the container mirror image can be realized, vulnerability scanning accuracy is improved, and container safety is improved. The embodiment of the disclosure also can release the storage space by cleaning the packed file after the scanning is successful. In addition, the target container mirror image of the searched vulnerability data is recorded and intercepted through the Webhook, and the safety of the container is improved.
An embodiment of the present disclosure further provides an electronic device, including:
at least one memory;
at least one processor;
at least one program;
the program is stored in the memory, and the processor executes the at least one program to implement the container image detection method of the embodiment of the present disclosure. The electronic device can be any intelligent terminal including a mobile phone, a tablet computer, a Personal Digital Assistant (PDA for short), a vehicle-mounted computer and the like.
Referring to fig. 4, fig. 4 illustrates a hardware structure of an electronic device according to another embodiment, where the electronic device includes:
the processor 401 may be implemented by a general-purpose CPU (central processing unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute a relevant program to implement the technical solution provided by the embodiment of the present disclosure;
the memory 402 may be implemented in the form of a ROM (read only memory), a static memory device, a dynamic memory device, or a RAM (random access memory). The memory 402 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present disclosure is implemented by software or firmware, the relevant program codes are stored in the memory 402 and called by the processor 401 to execute the container image detection method according to the embodiments of the present disclosure;
an input/output interface 403 for implementing information input and output;
the communication interface 404 is configured to implement communication interaction between the device and other devices, and may implement communication in a wired manner (e.g., USB, network cable, etc.) or in a wireless manner (e.g., mobile network, WIFI, bluetooth, etc.); and
a bus 405 that transfers information between the various components of the device (e.g., the processor 401, memory 402, input/output interface 403, and communication interface 404);
wherein the processor 401, the memory 402, the input/output interface 403 and the communication interface 404 are communicatively connected to each other within the device by a bus 405.
The embodiment of the disclosure also provides a computer-readable storage medium, and the computer-executable instructions are used for executing the container image detection method.
The container mirror image detection method and device, the electronic device and the computer-readable storage medium provided by the embodiment of the disclosure can automatically scan the vulnerability data of the container mirror image and improve the vulnerability scanning accuracy by acquiring the original container mirror image to be detected, packaging the original container mirror image, decompressing the packaged primary container mirror image, extracting the characteristics of the decompressed target container mirror image by a Clair tool, comparing the characteristic data extracted by the characteristics with a preset CVE vulnerability database, and inquiring the vulnerability data. The embodiment of the disclosure also can release the storage space by cleaning the packed file after the scanning is successful. In addition, the target container mirror image of the searched vulnerability data is recorded and intercepted through the Webhook, and the safety of the container is improved.
The memory, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and these remote memories may be connected to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The embodiments described in the embodiments of the present disclosure are for more clearly illustrating the technical solutions of the embodiments of the present disclosure, and do not constitute a limitation to the technical solutions provided in the embodiments of the present disclosure, and it is obvious to those skilled in the art that the technical solutions provided in the embodiments of the present disclosure are also applicable to similar technical problems with the evolution of technology and the emergence of new application scenarios.
The above-described embodiments of the apparatus are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may also be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
One of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
The terms "first," "second," "third," "fourth," and the like in the description of the disclosure and in the above-described figures, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It is to be understood that in the present disclosure, "at least one" means one or more, "a plurality" means two or more. "and/or" for describing an association relationship of associated objects, indicating that there may be three relationships, e.g., "a and/or B" may indicate: only A, only B and both A and B are present, wherein A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of single item(s) or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
In the several embodiments provided in the present disclosure, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present disclosure may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present disclosure may be embodied in the form of a software product, which is stored in a storage medium and includes multiple instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the method according to the embodiments of the present disclosure. The aforementioned storage medium includes various media capable of storing programs, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The preferred embodiments of the present disclosure have been described above with reference to the accompanying drawings, and therefore do not limit the scope of the claims of the embodiments of the present disclosure. Any modifications, equivalents and improvements within the scope and spirit of the embodiments of the present disclosure should be considered within the scope of the claims of the embodiments of the present disclosure by those skilled in the art.

Claims (10)

1. A method of container mirror image inspection, comprising:
acquiring a mirror image of an original container to be detected;
packaging the original container mirror image to obtain a primary container mirror image;
decompressing the primary container mirror image to obtain a target container mirror image;
performing feature extraction on the target container mirror image through a Clair tool to obtain feature data;
and comparing the characteristic data with a preset CVE vulnerability database through the Clair tool, and inquiring vulnerability data.
2. The method of claim 1, further comprising:
marking the target container mirror image;
pushing the marked target container mirror image;
and scanning the pushed target container mirror image.
3. The method of claim 1, further comprising:
if vulnerability data is found, generating a vulnerability report, the vulnerability report comprising current version information and repaired version information for the vulnerability.
4. The method of claim 3, further comprising:
generating an updated basic mirror image according to the vulnerability report and a preset current basic mirror image; the update base image is used for repairing the vulnerability data.
5. The method of any of claims 1 to 4, wherein the target container mirror image comprises a hierarchical file and a description file, the hierarchical file being the hierarchical data of the target container mirror image, the method further comprising:
calling each description file;
and submitting the hierarchical data of the target container mirror image in the order given by each description file.
6. The method of any one of claims 1 to 4, further comprising:
acquiring the running state of a warehouse where the target container mirror image is located;
and if the running state of the warehouse where the target container mirror image is located is normal, pulling the target container mirror image.
7. The method according to any one of claims 2 to 4, further comprising:
and clearing the packaged file after the scanning is successful, wherein the packaged file is a tar package.
8. A container mirror image inspection device, comprising:
the mirror image acquisition module is used for acquiring a mirror image of an original container to be detected;
the mirror image packaging module is used for packaging the original container mirror image to obtain a primary container mirror image;
the mirror image decompression module is used for decompressing the primary container mirror image to obtain a target container mirror image;
the characteristic extraction module is used for carrying out characteristic extraction on the target container mirror image through a Clair tool to obtain characteristic data;
and the mirror image scanning module is used for comparing the characteristic data with a preset CVE vulnerability database through the Clair tool and inquiring vulnerability data.
9. An electronic device, comprising:
at least one memory;
at least one processor;
at least one program;
the program is stored in the memory, the processor executing the at least one program to implement the method of any one of claims 1 to 7.
10. A storage medium that is a computer-readable storage medium having stored thereon computer-executable instructions for causing a computer to perform:
the method of any one of claims 1 to 7.
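The "record and intercept through the Webhook" step mentioned in the summary, as an added example that is not the patent's own code: the decision logic of a Kubernetes validating admission webhook that looks every image of an incoming pod up in the scan results, records the decision, and rejects the pod when any image has findings. The `AdmissionReview` field names follow `admission.k8s.io/v1`; `SCAN_RECORDS`, `AUDIT_LOG`, the image references and the CVE ids are constructed samples, and serving this over HTTPS and registering it with a `ValidatingWebhookConfiguration` is left out.

```python
"""Admission decision for scanned container images: fail closed, record every verdict."""

# Constructed scan records keyed by image reference, as the scanner would store
# them after the CVE comparison step. CVE ids are placeholders.
SCAN_RECORDS = {
    "registry.example/app:1.0": [
        {"cve": "CVE-0000-0001", "package": "openssl", "current": "1.1.1g-1", "fixed": "1.1.1k-1"},
    ],
    "registry.example/app:1.1": [],  # scanned, nothing found
}

AUDIT_LOG = []  # in-memory stand-in for the record the webhook keeps of each request


def pod_images(pod):
    """Every image a pod would run, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    return [c["image"]
            for key in ("initContainers", "containers", "ephemeralContainers")
            for c in spec.get(key, [])]


def evaluate(review, records=SCAN_RECORDS, audit=AUDIT_LOG):
    """Return the AdmissionReview response for a request.

    Fail closed: an image with findings, or with no scan record at all, is
    rejected. The verdict and its reasons are appended to the audit record."""
    req = review["request"]
    reasons = []
    for image in pod_images(req.get("object", {})):
        findings = records.get(image)
        if findings is None:
            reasons.append(f"{image}: no scan record")
        elif findings:
            cves = ", ".join(f["cve"] for f in findings)
            reasons.append(f"{image}: {cves}")
    allowed = not reasons
    audit.append({"uid": req["uid"], "namespace": req.get("namespace"),
                  "allowed": allowed, "reasons": list(reasons)})
    response = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def sample_review(images, uid="constructed-uid-1"):
    """Constructed AdmissionReview request for a pod running the given images."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "namespace": "default",
                        "object": {"kind": "Pod", "spec": {"containers": containers}}}}


if __name__ == "__main__":
    for image in ("registry.example/app:1.0", "registry.example/app:1.1", "registry.example/unscanned:9"):
        verdict = evaluate(sample_review([image]))["response"]
        print(image, "allowed" if verdict["allowed"] else verdict["status"]["message"])
```

Treating an unscanned image as a rejection is a deliberate design choice: if the scanner or its record store is unavailable, the webhook must not silently let images through, and the audit entry makes it visible afterwards which requests were refused and why.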
CN202011565572.6A 2020-12-25 2020-12-25 Container mirror image detection method and device, electronic equipment and storage medium Pending CN112613041A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011565572.6A CN112613041A (en) 2020-12-25 2020-12-25 Container mirror image detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112613041A true CN112613041A (en) 2021-04-06

Family

ID=75248155

Country Status (1)

Country Link
CN (1) CN112613041A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101242279A (en) * 2008-03-07 2008-08-13 北京邮电大学 Automatic penetration testing system and method for WEB system
US20200364039A1 (en) * 2019-05-14 2020-11-19 International Business Machines Corporation Managing software programs
CN110851241A (en) * 2019-11-20 2020-02-28 杭州安恒信息技术股份有限公司 Safety protection method, device and system for Docker container environment
CN111610989A (en) * 2020-06-17 2020-09-01 中国人民解放军国防科技大学 Application release/update method and system for offline container cloud environment
CN111880497A (en) * 2020-07-23 2020-11-03 常州信息职业技术学院 Intelligent manufacturing equipment control system based on container
CN112084496A (en) * 2020-09-02 2020-12-15 浪潮云信息技术股份公司 Clair-based mirror image security scanning method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Yuan Bo et al. (eds.): "Cloud Application *** Development Technology", 31 July 2017, Xidian University Press, pages 128-130 *
Wei Xingshen; Su Dawei; Tu Zhengwei; Liu Wei; Qi Longyun; Lü Xiaoliang; Yang Bin: "SecDr: A content-secure Docker image repository", Computer and Modernization, no. 05, pages 74-77 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113239353A (en) * 2021-04-15 2021-08-10 上海交通大学 Content difference-based container software security detection system and method
CN113378030A (en) * 2021-05-18 2021-09-10 上海德衡数据科技有限公司 Search method of search engine, search engine architecture, device and storage medium
CN113378030B (en) * 2021-05-18 2022-09-20 上海德衡数据科技有限公司 Search method of search engine, search engine architecture, device and storage medium
CN113407935A (en) * 2021-06-16 2021-09-17 中国光大银行股份有限公司 File detection method and device, storage medium and server
CN113656241B (en) * 2021-07-20 2023-10-31 国网天津市电力公司 Container terminal full life cycle management and control system and method
CN113656241A (en) * 2021-07-20 2021-11-16 国网天津市电力公司 System and method for managing and controlling full life cycle of container terminal
CN113642004A (en) * 2021-08-11 2021-11-12 杭州安恒信息技术股份有限公司 Container mirror image security scanning and repairing method, device and equipment
CN113642004B (en) * 2021-08-11 2024-04-09 杭州安恒信息技术股份有限公司 Method, device and equipment for safely scanning and repairing container mirror image
CN113849808A (en) * 2021-08-19 2021-12-28 苏州浪潮智能科技有限公司 Container safety management method, system, terminal and storage medium
CN113849808B (en) * 2021-08-19 2023-08-25 苏州浪潮智能科技有限公司 Container security management method, system, terminal and storage medium
CN113656809A (en) * 2021-09-01 2021-11-16 京东科技信息技术有限公司 Mirror image security detection method, device, equipment and medium
CN116431276A (en) * 2023-02-28 2023-07-14 港珠澳大桥管理局 Container security protection method, device, computer equipment and storage medium
CN116523077A (en) * 2023-06-27 2023-08-01 国网汇通金财(北京)信息科技有限公司 Early warning method, device, equipment and storage medium based on container technology
CN116523077B (en) * 2023-06-27 2023-09-15 国网汇通金财(北京)信息科技有限公司 Early warning method, device, equipment and storage medium based on container technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination